My question was: "OpenSSL.org" themselves don't support 0.9.8 post December 2015 @ https://www.openssl.org/blog/blog/2014/ ... -strategy/
"Back in October we announced the End Of Life of version 0.9.8. This version is currently only receiving security updates, and support will cease completely on 31st December 2015"

So, will Redhat/CentOS take ownership of FIXING any new upcoming vulnerabilities post Dec 2015?

Will REDHAT/CENTOS take the responsibility to find a solution and fix vulnerabilities (because there is nothing to BACKPORT from OpenSSL.org post Dec 2015 for the 0.9.8 version) and continue supporting the 0.9.8 RPM package till 2017 for CentOS 5.X? (This was the intention behind my post.)

Redhat already has responsibility for fixing the bugs in the copy we use. The current version of openssl 0.9.8 from the openssl website is 0.9.8ze and the version in CentOS 5 is openssl-0.9.8e-32.el5_11.x86_64, yet the latest entry in the rpm changelog is dated "* Wed Dec 17 2014 Tomas Mraz <tmraz at redhat.com> 0.9.8e-32".
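Since the upstream letter (0.9.8e vs 0.9.8ze) says nothing about which fixes Red Hat has backported, the practical check is the package changelog rather than the version string. The script below is an added example, not code from any of the posts above or from Red Hat: on a real CentOS/RHEL host the changelog text would come from `rpm -q --changelog openssl`; here a constructed sample changelog is embedded so it runs offline, and the CVE id in it is a placeholder, not a real advisory.

```shell
#!/bin/sh
# Added example: find out whether a backported CVE fix is present in an RPM
# whose version string never changes (e.g. openssl-0.9.8e-32.el5_11).
# On a real box:   changelog=$(rpm -q --changelog openssl)
# Here a constructed sample stands in for that output. The first header line
# is the one quoted in the thread; the rest (the packager name and the
# "CVE-2014-0000" id) are placeholders made up for this example.
SAMPLE_CHANGELOG='* Wed Dec 17 2014 Tomas Mraz <tmraz at redhat.com> 0.9.8e-32
- placeholder entry: fix CVE-2014-0000 (constructed for this example)

* Mon Oct 13 2014 Example Packager <packager at example.com> 0.9.8e-31
- placeholder entry: unrelated bug fix'

# Print every distinct CVE id mentioned anywhere in the changelog text.
list_cves() {
    printf '%s\n' "$1" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Exit 0 if the changelog mentions the given CVE id (literal match), 1 if not.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Print the package version-release (last field of the "* <date> <name> <ver>"
# header) under which the given CVE is first mentioned; prints nothing if absent.
cve_fixed_in() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* /           { release = $NF }
        index($0, cve)   { print release; exit }
    '
}

# Stand-alone demo against the constructed sample.
echo "CVEs mentioned in changelog:"
list_cves "$SAMPLE_CHANGELOG"
if changelog_mentions_cve "$SAMPLE_CHANGELOG" CVE-2014-0000; then
    echo "CVE-2014-0000 fixed in release: $(cve_fixed_in "$SAMPLE_CHANGELOG" CVE-2014-0000)"
else
    echo "CVE-2014-0000 not mentioned; package may still be vulnerable"
fi
```

To use it for real, replace `SAMPLE_CHANGELOG` with `$(rpm -q --changelog openssl)` and pass the CVE id from the advisory you care about; an id that never appears in the changelog means the fix is not in that build, whatever the 0.9.8e in the package name suggests.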

I went through the link about "Backporting Security Fixes" posted below and understood the concept of "backporting" with the given example of RHEL 6 and PHP 5.3.

But, the example case above is subtly different from the case of OpenSSL, let me quote:

Say, in January 2016/2017, there comes an announcement about a vulnerability in the OpenSSL 0.9.8 version, but not in 1.0.0 or higher (because of the change in architecture of OpenSSL 1.0.0 or higher). At this point in time, OpenSSL wouldn't do the research to fix the issue, because 0.9.8 is EOL.
Now, do RHEL/CENTOS do the necessary research to FIX the issue in 0.9.8 (because there is no fix given by OpenSSL in 1.0.0 or higher to BACKPORT)? This is the clarity I am looking for.

And the below link about "Backporting Security Fixes" talks only about issues/vulnerabilities that are "fixed/addressed upstream".

These questions would really need to be addressed to Redhat, but I would expect them to fix it. CentOS does not fix things; it only repackages what Redhat provides to its customers. If you want the word straight from the horse's mouth, then you need to ask Redhat.

The "whatever change in architecture" that fixes the problem for 1.0.0 or higher is then backported to 0.9.8 (or an individual fix that corrects the problem is developed).
Similar development can be seen in kernel fixes... 2.6.18 and 2.6.32 (for EL6) have long been unsupported, but any bugs are fixed by either backporting the functionality from newer kernels or developing a fix to mitigate the issue if backporting is not an option due to functionality changes.

edit: I stand corrected, 2.6.32 is actually still supported until mid-2015... but since a lot of features have also been backported from newer kernels, I'd assume Redhat needs to develop fixes independently and not use kernel.org's latest 2.6.32 releases...

gulikoza wrote: edit: I stand corrected, 2.6.32 is actually still supported until mid-2015... but since a lot of features have also been backported from newer kernels, I'd assume Redhat needs to develop fixes independently and not use kernel.org's latest 2.6.32 releases...